fix(auth): lookup user role from membership for mesh JWT and API keys

[vibegui]

Previously, mesh JWT tokens and API keys didn't include the user's organization role, preventing admin/owner bypass in access control. This adds role lookup from the member table for both auth methods.

What is this contribution about?

Describe your changes and why they're needed.

Screenshots/Demonstration

Add screenshots or a Loom video if your changes affect the UI.

Review Checklist

• PR title is clear and descriptive
• Changes are tested and working
• Documentation is updated (if needed)
• No breaking changes

---

Summary by cubic

Fixes missing organization role in auth for mesh JWTs and API keys. We now look up member.role by userId and attach it to user in the request context, so admin/owner bypass works.

^{Written for commit af54a44. Summary will update on new commits.}

[github-actions]

🧪 Benchmark

Should we run the MCP Gateway benchmark for this PR?

React with 👍 to run the benchmark.

Reaction	Action
👍	Run quick benchmark (10 & 128 tools)

Benchmark will run on the next push after you react.

[github-actions]

Release Options

Should a new version be published when this PR is merged?

React with an emoji to vote on the release type:

Reaction	Type	Next Version
👍	Prerelease	1.0.18-alpha.1
🎉	Patch	1.0.18
❤️	Minor	1.1.0
🚀	Major	2.0.0

Current version: 1.0.17

Deployment

• Deploy to production (triggers ArgoCD sync after Docker image is published)

[cubic-dev-ai]

1 issue found across 1 file

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="apps/mesh/src/core/context-factory.ts">

<violation number="1" location="apps/mesh/src/core/context-factory.ts:478">
P1: Role lookup query doesn&#39;t filter by organization. A user with memberships in multiple organizations could get the wrong role (e.g., &#39;member&#39; role from Org A instead of &#39;owner&#39; from Org B), breaking the admin/owner bypass. Add `.where(&quot;member.organizationId&quot;, &quot;=&quot;, meshJwtPayload.metadata?.organizationId)` to scope the query.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

P1: Role lookup query doesn't filter by organization. A user with memberships in multiple organizations could get the wrong role (e.g., 'member' role from Org A instead of 'owner' from Org B), breaking the admin/owner bypass. Add .where("member.organizationId", "=", meshJwtPayload.metadata?.organizationId) to scope the query.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At apps/mesh/src/core/context-factory.ts, line 478:

<comment>Role lookup query doesn&#39;t filter by organization. A user with memberships in multiple organizations could get the wrong role (e.g., &#39;member&#39; role from Org A instead of &#39;owner&#39; from Org B), breaking the admin/owner bypass. Add `.where(&quot;member.organizationId&quot;, &quot;=&quot;, meshJwtPayload.metadata?.organizationId)` to scope the query.</comment>

<file context>
@@ -472,10 +472,22 @@ async function authenticateRequest(
+        // Look up user&#39;s organization role for admin/owner bypass
+        let role: string | undefined;
+        if (meshJwtPayload.sub) {
+          const membership = await db
+            .selectFrom(&quot;member&quot;)
+            .select([&quot;member.role&quot;])
</file context>